incubator-ooo-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: OpenOffice Security Vulnerability Reporting
Date Thu, 07 Jul 2011 13:59:48 GMT

On 07/07/2011 14:48, Rob Weir wrote:
> Bringing the threads together on the public list so we can (hopefully)
> quickly discuss.
> 
> As I understand it now, the OpenOffice.org currently directs visitors
> to report vulnerability reports to securityteam@openoffice.org. This
> address is currently being monitored.
> 
> And at Apache we ask vulnerabilities to be reported to
> security@apache.org, after which they are forwarded to the particular
> project's private email list where such matters can be analyzed in
> confidence, avoiding premature disclosure.
> 
> Since the OpenOffice project is in the process of migrating to Apache,
> a process which will take several months, it is important that
> relevant information be shared, rapidly, confidentially and reliably.
> 
> I'd like to propose something simple, namely that relevant information
> received by Apache should be quickly forwarded to
> securityteam@openoffice.org, and that relevant information received by
> securityteam@openoffice.org should be quickly forwarded to
> security@apache.org.
> 
> Also, if securityteam@openoffice.org has a list of other security
> contacts with whom they routinely share pre-public disclosure security
> information, we'd appreciate having that list, sent to our private
> list: ooo-private@incubator.apache.org.

Access to ooo-private@incubator.apache.org is too open for security
issues. ooo-security@incubator.apache.org needs to be set up with access
limited to a small, trusted set of individuals. The current subscribers
to securityteam@openoffice.org would be a good place to start.

Mark